ae14b287be4c2cb072802d65693beeb9efecefd6e6de5994abe49546b8ca0308

Analysis

max time kernel
150s
max time network
123s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
27-09-2023 11:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

tmp.exe
Size

5.5MB
MD5

a92a908cae30b9b020244bedf61a1dd4
SHA1

a45bf660ae267b2c8027327b2b97c61faa88d9ae
SHA256

ae14b287be4c2cb072802d65693beeb9efecefd6e6de5994abe49546b8ca0308
SHA512

beab8787db9e978c0db067f0cbc2acff56033f1343bbde5ed6ff364b9ce241cdac00c33f66e799ad6a693a7dd7eb54274c11010fa4c087b18a31fb408cd10fba
SSDEEP

98304:pHrMX3ZbN6mocwdMpXYI6A2XwY0o7r5QBa2lAo3WTsKVnd/9lSD/WFIxUBzqHy:1MnZZPocwGpoRRXwY9rb2moBKVd/9lEJ

Score

9^/10

evasion trojan

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 4 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	O.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	tmp.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	O.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	O.exe

Checks BIOS information in registry 2 TTPs 8 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	O.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	O.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	O.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	O.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	tmp.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	tmp.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	O.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	O.exe

Executes dropped EXE 3 IoCs

pid	Process
2760	O.exe
308	O.exe
2004	O.exe

Loads dropped DLL 1 IoCs

pid	Process
2660	cmd.exe

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	tmp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	O.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	O.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	O.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

pid	Process
2176	tmp.exe
2760	O.exe
308	O.exe
2004	O.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2208	schtasks.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
2772	timeout.exe

Suspicious use of WriteProcessMemory 33 IoCs

description	pid	Process	procid_target
PID 2176 wrote to memory of 2660	2176	tmp.exe	29
PID 2176 wrote to memory of 2660	2176	tmp.exe	29
PID 2176 wrote to memory of 2660	2176	tmp.exe	29
PID 2176 wrote to memory of 2660	2176	tmp.exe	29
PID 2660 wrote to memory of 2772	2660	cmd.exe	30
PID 2660 wrote to memory of 2772	2660	cmd.exe	30
PID 2660 wrote to memory of 2772	2660	cmd.exe	30
PID 2660 wrote to memory of 2772	2660	cmd.exe	30
PID 2660 wrote to memory of 2760	2660	cmd.exe	31
PID 2660 wrote to memory of 2760	2660	cmd.exe	31
PID 2660 wrote to memory of 2760	2660	cmd.exe	31
PID 2660 wrote to memory of 2760	2660	cmd.exe	31
PID 2660 wrote to memory of 2760	2660	cmd.exe	31
PID 2660 wrote to memory of 2760	2660	cmd.exe	31
PID 2660 wrote to memory of 2760	2660	cmd.exe	31
PID 2760 wrote to memory of 2208	2760	O.exe	32
PID 2760 wrote to memory of 2208	2760	O.exe	32
PID 2760 wrote to memory of 2208	2760	O.exe	32
PID 2760 wrote to memory of 2208	2760	O.exe	32
PID 2320 wrote to memory of 308	2320	taskeng.exe	37
PID 2320 wrote to memory of 308	2320	taskeng.exe	37
PID 2320 wrote to memory of 308	2320	taskeng.exe	37
PID 2320 wrote to memory of 308	2320	taskeng.exe	37
PID 2320 wrote to memory of 308	2320	taskeng.exe	37
PID 2320 wrote to memory of 308	2320	taskeng.exe	37
PID 2320 wrote to memory of 308	2320	taskeng.exe	37
PID 2320 wrote to memory of 2004	2320	taskeng.exe	38
PID 2320 wrote to memory of 2004	2320	taskeng.exe	38
PID 2320 wrote to memory of 2004	2320	taskeng.exe	38
PID 2320 wrote to memory of 2004	2320	taskeng.exe	38
PID 2320 wrote to memory of 2004	2320	taskeng.exe	38
PID 2320 wrote to memory of 2004	2320	taskeng.exe	38
PID 2320 wrote to memory of 2004	2320	taskeng.exe	38

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of WriteProcessMemory
PID:2176
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\s1og.0.bat" "
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2660
- - C:\Windows\SysWOW64\timeout.exe
    timeout 3
    3⤵
    - Delays execution with timeout.exe
    PID:2772
- - C:\ProgramData\Roaming\O.exe
    "C:\ProgramData\Roaming\O.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of WriteProcessMemory
    PID:2760
  - - C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /RL HIGHEST /tn "O" /tr C:\ProgramData\Roaming\O.exe /f
      4⤵
      Creates scheduled task(s)
      PID:2208

C:\Windows\system32\taskeng.exe
taskeng.exe {4C120ADE-71D8-4C1F-B940-6CD1A6DED354} S-1-5-21-3750544865-3773649541-1858556521-1000:XOCYHKRS\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:2320
- C:\ProgramData\Roaming\O.exe
  C:\ProgramData\Roaming\O.exe
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  PID:308
- C:\ProgramData\Roaming\O.exe
  C:\ProgramData\Roaming\O.exe
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  PID:2004

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Roaming\O.exe

Filesize
5.5MB

MD5
a92a908cae30b9b020244bedf61a1dd4

SHA1
a45bf660ae267b2c8027327b2b97c61faa88d9ae

SHA256
ae14b287be4c2cb072802d65693beeb9efecefd6e6de5994abe49546b8ca0308

SHA512
beab8787db9e978c0db067f0cbc2acff56033f1343bbde5ed6ff364b9ce241cdac00c33f66e799ad6a693a7dd7eb54274c11010fa4c087b18a31fb408cd10fba

Download Submit
C:\ProgramData\Roaming\O.exe

Filesize
5.5MB

MD5
a92a908cae30b9b020244bedf61a1dd4

SHA1
a45bf660ae267b2c8027327b2b97c61faa88d9ae

SHA256
ae14b287be4c2cb072802d65693beeb9efecefd6e6de5994abe49546b8ca0308

SHA512
beab8787db9e978c0db067f0cbc2acff56033f1343bbde5ed6ff364b9ce241cdac00c33f66e799ad6a693a7dd7eb54274c11010fa4c087b18a31fb408cd10fba

Download Submit
C:\ProgramData\Roaming\O.exe

Filesize
5.5MB

MD5
a92a908cae30b9b020244bedf61a1dd4

SHA1
a45bf660ae267b2c8027327b2b97c61faa88d9ae

SHA256
ae14b287be4c2cb072802d65693beeb9efecefd6e6de5994abe49546b8ca0308

SHA512
beab8787db9e978c0db067f0cbc2acff56033f1343bbde5ed6ff364b9ce241cdac00c33f66e799ad6a693a7dd7eb54274c11010fa4c087b18a31fb408cd10fba

Download Submit
C:\ProgramData\Roaming\O.exe

Filesize
5.5MB

MD5
a92a908cae30b9b020244bedf61a1dd4

SHA1
a45bf660ae267b2c8027327b2b97c61faa88d9ae

SHA256
ae14b287be4c2cb072802d65693beeb9efecefd6e6de5994abe49546b8ca0308

SHA512
beab8787db9e978c0db067f0cbc2acff56033f1343bbde5ed6ff364b9ce241cdac00c33f66e799ad6a693a7dd7eb54274c11010fa4c087b18a31fb408cd10fba

Download Submit
C:\Users\Admin\AppData\Local\Temp\s1og.0.bat

Filesize
168B

MD5
13195858fd7718c422bd01df9a56337e

SHA1
6d19d50cdfc691b84bb9486b4864d0d96fc94b8a

SHA256
ef72348b27a53a53beba54dfb4315a40ae85d708cdc035380c7c6affe5c6074b

SHA512
0878dde0b4ef18ad492692e4c2bad41fca6e8e06f584314fb283f0e5b841d65ca22c7d0de9dcb855f9559e6cfb0d508407328c67c1c74f43a88cdfbf16684cd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\s1og.0.bat

Filesize
168B

MD5
13195858fd7718c422bd01df9a56337e

SHA1
6d19d50cdfc691b84bb9486b4864d0d96fc94b8a

SHA256
ef72348b27a53a53beba54dfb4315a40ae85d708cdc035380c7c6affe5c6074b

SHA512
0878dde0b4ef18ad492692e4c2bad41fca6e8e06f584314fb283f0e5b841d65ca22c7d0de9dcb855f9559e6cfb0d508407328c67c1c74f43a88cdfbf16684cd5

Download Submit
\ProgramData\Roaming\O.exe

Filesize
5.5MB

MD5
a92a908cae30b9b020244bedf61a1dd4

SHA1
a45bf660ae267b2c8027327b2b97c61faa88d9ae

SHA256
ae14b287be4c2cb072802d65693beeb9efecefd6e6de5994abe49546b8ca0308

SHA512
beab8787db9e978c0db067f0cbc2acff56033f1343bbde5ed6ff364b9ce241cdac00c33f66e799ad6a693a7dd7eb54274c11010fa4c087b18a31fb408cd10fba

Download Submit
memory/308-54-0x0000000000400000-0x00000000011FA000-memory.dmp

Filesize
14.0MB

Download
memory/308-55-0x0000000000400000-0x00000000011FA000-memory.dmp

Filesize
14.0MB

Download
memory/308-53-0x0000000000400000-0x00000000011FA000-memory.dmp

Filesize
14.0MB

Download
memory/308-48-0x0000000000400000-0x00000000011FA000-memory.dmp

Filesize
14.0MB

Download
memory/308-43-0x0000000000400000-0x00000000011FA000-memory.dmp

Filesize
14.0MB

Download
memory/2004-66-0x0000000000400000-0x00000000011FA000-memory.dmp

Filesize
14.0MB

Download
memory/2004-71-0x0000000000400000-0x00000000011FA000-memory.dmp

Filesize
14.0MB

Download
memory/2004-72-0x0000000000400000-0x00000000011FA000-memory.dmp

Filesize
14.0MB

Download
memory/2004-73-0x0000000000400000-0x00000000011FA000-memory.dmp

Filesize
14.0MB

Download
memory/2176-22-0x0000000000400000-0x00000000011FA000-memory.dmp

Filesize
14.0MB

Download
memory/2176-0-0x0000000000400000-0x00000000011FA000-memory.dmp

Filesize
14.0MB

Download
memory/2176-11-0x0000000000400000-0x00000000011FA000-memory.dmp

Filesize
14.0MB

Download
memory/2176-10-0x0000000000400000-0x00000000011FA000-memory.dmp

Filesize
14.0MB

Download
memory/2176-9-0x0000000077A40000-0x0000000077A42000-memory.dmp

Filesize
8KB

Download
memory/2176-4-0x0000000000400000-0x00000000011FA000-memory.dmp

Filesize
14.0MB

Download
memory/2176-1-0x0000000000400000-0x00000000011FA000-memory.dmp

Filesize
14.0MB

Download
memory/2660-27-0x0000000001FB0000-0x0000000002DAA000-memory.dmp

Filesize
14.0MB

Download
memory/2760-39-0x0000000000400000-0x00000000011FA000-memory.dmp

Filesize
14.0MB

Download
memory/2760-38-0x0000000000400000-0x00000000011FA000-memory.dmp

Filesize
14.0MB

Download
memory/2760-37-0x0000000000400000-0x00000000011FA000-memory.dmp

Filesize
14.0MB

Download
memory/2760-32-0x0000000000400000-0x00000000011FA000-memory.dmp

Filesize
14.0MB

Download
memory/2760-28-0x0000000000400000-0x00000000011FA000-memory.dmp

Filesize
14.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads